Add reproducible.archlinux.org instance

Create a new VPS for running the master rebuilderd daemon which
coordinates the rebuild tasks to rebuilderd ndoes.

Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl>

group_vars/all/vault_rebuilderd.yml

@@ -0,0 +1,12 @@
+$ANSIBLE_VAULT;1.1;AES256
+37393734383433333465653531663339353262306139633039636566343235626335643030326135
+3730303732663531393832666337383339306531306663320a313030613462376261623037316461
+33313336653037623964346131323436373331393932306338326463653932643038333436663834
+6666343266343738310a366666326464326338656435363263633834616431636237653134356232
+32323466613738633663313232653661363832643766363763303439373732306435643364386365
+39666330646564346637313263623430363562646535383264633435353363396662363834353130
+30356661333537336139303362366537616330656636666336356332333130656635333565333835
+64303837653965336535316263346466356264653566383130303434663930333832633634336163
+30336131656666663563633936356465326135386265373761646161646133393534346535363332
+31663339613166353964343864626231316332373433323266393037376462316439353936326638
+623866663534303733323366323465616665

host_vars/reproducible.archlinux.org

@@ -0,0 +1,11 @@
+---
+
+filesystem: btrfs
+zabbix_agent_templates:
+  - Template OS Linux
+  - Template App Borg Backup
+  - Template App HTTP Service
+  - Template App HTTPS Service
+
+fail2ban_jails:
+  sshd: true

hosts

@@ -76,3 +76,5 @@ repro2.pkgbuild.com
 
 [memcached]
 apollo.archlinux.org
+
+reproducible.archlinux.org

playbooks/reproducible.archlinux.org.yml

@@ -0,0 +1,16 @@
+---
+
+- name: setup reproducible builds rebuilder
+  hosts: reproducible.archlinux.org
+  remote_user: root
+  roles:
+    - { role: common }
+    - { role: tools }
+    - { role: firewalld }
+    - { role: sshd }
+    - { role: unbound }
+    - { role: root_ssh }
+    - { role: borg-client, tags: ["borg"] }
+    - { role: certbot }
+    - { role: nginx }
+    - { role: rebuilderd }

roles/rebuilderd/defaults/main.yml

@@ -0,0 +1,2 @@
+rebuilderd_domain: reproducible.archlinux.org
+rebuilderd_nginx_conf: /etc/nginx/nginx.d/rebuilderd.conf

roles/rebuilderd/tasks/main.yml

@@ -0,0 +1,32 @@
+- name: install required packages
+  pacman: name=rebuilderd state=present
+
+# TODO: remove when repro is released with https://github.com/archlinux/archlinux-repro/pull/73
+- name: import bootstrap gpg key
+  command: gpg --auto-key-locate nodefault,wkd --locate-keys pierre@archlinux.de
+
+- name: create ssl cert
+  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ rebuilderd_domain }}' creates='/etc/letsencrypt/live/{{ rebuilderd_domain }}/fullchain.pem'
+  when: 'rebuilderd_domain is defined'
+
+- name: configure rebuilderd.conf
+  template: src=rebuilderd.conf.j2 dest=/etc/rebuilderd.conf owner=rebuilderd group=rebuilderd mode=0660
+
+- name: configure rebuilderd-sync.conf
+  template: src=rebuilderd-sync.conf.j2 dest=/etc/rebuilderd-sync.conf owner=rebuilderd group=rebuilderd mode=0660
+
+- name: make nginx log dir
+  file: path=/var/log/nginx/{{ rebuilderd_domain }} state=directory owner=root group=root mode=0755
+
+- name: set up nginx
+  template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/rebuilderd.conf owner=root group=root mode=0644
+  notify:
+    - reload nginx
+  when: 'rebuilderd_domain is defined'
+  tags: ['nginx']
+
+- name: enable and start rebuilderd
+  systemd: name=rebuilderd enabled=yes state=started
+
+- name: enable and start rebuilderd timer
+  systemd: name=rebuilderd-sync@archlinux-core.timer enabled=yes state=started

roles/rebuilderd/templates/nginx.d.conf.j2

@@ -0,0 +1,38 @@
+server {
+    listen       80;
+    listen       [::]:80;
+    server_name  {{ rebuilderd_domain }};
+
+    access_log   /var/log/nginx/{{ rebuilderd_domain }}/access.log reduced;
+    error_log    /var/log/nginx/{{ rebuilderd_domain }}/error.log;
+
+    include snippets/letsencrypt.conf;
+
+    location / {
+        access_log off;
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen       443 ssl http2;
+    listen       [::]:443 ssl http2;
+    server_name  {{ rebuilderd_domain }};
+
+    access_log   /var/log/nginx/{{ rebuilderd_domain }}/access.log reduced;
+    error_log    /var/log/nginx/{{ rebuilderd_domain }}/error.log;
+
+    ssl_certificate      /etc/letsencrypt/live/{{ rebuilderd_domain }}/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ rebuilderd_domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ rebuilderd_domain }}/chain.pem;
+
+    location /api {
+	    proxy_pass http://127.0.0.1:8080;
+    }
+
+    location / {
+	    access_log off;
+	    default_type text/plain;
+	    return 200 'Arch Linux Rebuilderd Instance https://wiki.archlinux.org/index.php/Rebuilderd';
+    }
+}

roles/rebuilderd/templates/rebuilderd-sync.conf.j2

@@ -0,0 +1,6 @@
+[profile."archlinux-core"]
+distro = "archlinux"
+suite = "core"
+architecture = "x86_64"
+source = "https://mirror.pkgbuild.com/core/os/x86_64/core.db"
+excludes = ["gcc*"]

roles/rebuilderd/templates/rebuilderd.conf.j2

@@ -0,0 +1,11 @@
+[http]
+# it is highly recommended to bind to localhost and setup nginx as a reverse proxy for https
+bind_addr = "127.0.0.1:8080"
+
+[auth]
+# set the generated secret for administration here
+#cookie = "{{ vault_rebuilderd_auth_cookie }}"
+
+[worker]
+# set the generated secret for our workers here
+signup_secret = "{{ vault_rebuilderd_signup_secret }}"